2 Answers
2

Since WordPress is so popular there are a lot of drive-by hacks knocking around taking advantage of flaws in basic security. All WordPress users should take the following basic and easy steps to protect themselves:

Do not use wp_ as the database table prefix, use any string of random characters that appeals.

Remove <meta name="generator" content="WordPress X.X.X" /> from your site's header by placing remove_action('wp_head', 'wp_generator'); in your functions.php file (drive by attackers will not have an easy way to find which version they are targeting).

I run about 10 different WordPress sites and have found the WP-Security plugin and account from Website Defender invaluable; it scans your site regularly and reports on security errors, malware, and even page errors via email, so you can be assured that you know when something goes wrong.

WP-Firewall is also very useful for defense against 0-Day exploits and VirusTotal is handy if you suspect an infection.

You should also sign up to Webmaster Tools, but if you suspect an infection, take all steps to find and clean it up first, or you may end up with Google warning your users that yours is a reported attack site.

If it detects an infection, Google will send an email to all of the following addresses: abuse@, admin@, administrator@, contact@, info@, postmaster@, support@, webmaster@. You should ensure that you have at least one of these in place and monitored.

Paid Removal Services / Where To Get Help

There are also a number of sites which offer paid malware removal services; I would be very suspicious of these, as many appear to be scams of one sort or another.

Can you elaborate on what the blank htaccess file in wp-admin does?
– joshuahedlund Apr 24 '12 at 18:58

@joshuahedlund It was designed to block an attack which attempted to write an htaccess file into the wp-admin directory. I will be updating this advice shortly with some new code to password-protect that area of the site and block access to it entirely.
– toomanyairmiles Apr 24 '12 at 20:10
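The first two hardening items in the answer above (a non-default table prefix and no version-leaking generator tag) are easy to verify from the command line. The following POSIX shell script is an added example written for this page; it is not code from the answer's author or from WordPress. It assumes you have a local copy of the site's wp-config.php and a saved copy of the site's rendered HTML; the file names and the sample contents it creates under a temporary directory are constructed purely for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the original answer): checks two of the
# hardening items above against local files. The file names and the sample
# contents below are constructed for illustration.

# Return 0 when wp-config.php uses a custom table prefix, 1 when it still uses wp_.
check_table_prefix() {
    # Matches e.g.  $table_prefix = 'wp_';  or  $table_prefix = "wp_";
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*["'"'"']wp_["'"'"']' "$1"; then
        return 1
    fi
    return 0
}

# Return 0 when a saved copy of the site's HTML carries no WordPress generator
# tag, 1 when the version-leaking meta tag is still present in the output.
check_generator_tag() {
    if grep -q '<meta name="generator" content="WordPress' "$1"; then
        return 1
    fi
    return 0
}

# Run both checks, print each finding, and return the number of findings
# (0 means nothing to fix).
audit_site() {
    config="$1"
    html="$2"
    findings=0
    if ! check_table_prefix "$config"; then
        echo "FINDING: $config still uses the default wp_ table prefix"
        findings=$((findings + 1))
    fi
    if ! check_generator_tag "$html"; then
        echo "FINDING: $html leaks the WordPress version via the generator meta tag"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample inputs: one default install and one hardened install.
WORK=$(mktemp -d)
printf '%s\n' '<?php' "\$table_prefix = 'wp_';" > "$WORK/wp-config-default.php"
printf '%s\n' '<?php' "\$table_prefix = 'k9x2q_';" > "$WORK/wp-config-hardened.php"
printf '%s\n' '<head>' '<meta name="generator" content="WordPress 3.3.1" />' '</head>' > "$WORK/page-default.html"
printf '%s\n' '<head>' '<title>Example</title>' '</head>' > "$WORK/page-hardened.html"

# The default install reports two findings; the hardened one reports none.
audit_site "$WORK/wp-config-default.php" "$WORK/page-default.html" || echo "default install: $? finding(s)"
audit_site "$WORK/wp-config-hardened.php" "$WORK/page-hardened.html" && echo "hardened install: no findings"
```

Point the two checks at your real wp-config.php and at a saved copy of your home page (for example, fetched with curl) to confirm that the prefix change and the remove_action line in functions.php actually took effect in the rendered output, which is what a drive-by scanner would see.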

You need to completely remove every file from your website and do a fresh install of WordPress. The odds are they uploaded files that allow them continuous access to your site. Unless you want to go file by file trying to figure out which one(s) they are, a complete install from scratch is the best thing you can do.